Bug 4881 - GnuTLS needs to be updated.
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Version: 4.1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, prosaic
Depends on:
Blocks:
 
Reported: 2013-11-01 10:51 CET by Henrik Andersson
Modified: 2014-04-01 16:05 CEST

Description Henrik Andersson cendio 2013-11-01 10:51:00 CET
The current build system uses version 3.2.4, two releases behind upstream.

Version 3.2.6 (released 2013-10-31)
- libgnutls: Support for TPM via trousers is now enabled by default.
- libgnutls: Camellia in GCM mode has been added in default priorities,
  and GCM mode is prioritized over CBC in all of the default priority strings.
- libgnutls: Added ciphersuite GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384.
- libgnutls: Fixed ciphersuites
    GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384,
    GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 and
    GNUTLS_PSK_CAMELLIA_128_GCM_SHA256. Reported by Stefan Buehler.
- libgnutls: Added support for ISO OID for RSA-SHA1 signatures.
- libgnutls: Minimum acceptable DH group parameters were increased to
  767 bits from 727.
- libgnutls: Added function to obtain random data from PKCS #11 tokens.
- gnulib: updated.
- libdane: Fixed a one-off bug in dane_query_tlsa() introduced by the
  previous fix. Reported by Tomas Mraz.
- p11tool: Added option generate-random.
- API and ABI modifications: gnutls_pkcs11_token_get_random: Added

Version 3.2.5 (released 2013-10-23)
- libgnutls: Documentation and build-time fixes.
- libgnutls: Allow the generation of DH groups of less than 700 bits.
- libgnutls: Added several combinations of ciphersuites with SHA256 and
  SHA384 as MAC, as well as Camellia with GCM.
- libdane: Added interfaces to allow initialization of dane_query_t
  from external DNS resolutions, and to allow direct verification of a
  certificate chain against a dane_query_t. Contributed by Christian Grothoff.
- libdane: Fixed a buffer overflow in dane_query_tlsa(). This could be
  triggered by a DNS server supplying more than 4 DANE records. Report and
  fix by Christian Grothoff.
- srptool: Fixed index command line option. Patch by Attila Molnar.
- gnutls-cli: Added support for inline commands, using the
  --inline-commands-prefix and --inline-commands options. Patch by Raj Raman.
- certtool: pathlen constraint is now read correctly. Reported by
  Christoph Seitz.
Comment 1 Pierre Ossman cendio 2014-02-14 10:24:56 CET
GnuTLS and friends upgraded in r28427. Will do a quick test of tlstunnel and tl-certtool before I close this.
Comment 2 Pierre Ossman cendio 2014-02-24 13:35:03 CET
tlstunnel works fine, and tlclient can parse several of the cards I have at my disposal.
Comment 3 Henrik Andersson cendio 2014-03-17 09:54:05 CET
Missing update package for win32 and osx32 GnuTLS:

rpm -qa | grep cendio | grep gnutls
cendio-build-gnutls-solsparc-3.2.11-1.noarch
cendio-build-gnutls-win32-2.8.6-1.noarch
cendio-build-gnutls-i386-3.2.11-1.noarch
cendio-build-gnutls-x86_64-3.2.11-1.noarch
cendio-build-gnutls-osx32-2.8.6-1.noarch
Comment 4 Pierre Ossman cendio 2014-03-17 10:54:17 CET
(In reply to comment #3)
> Missing update package for win32 and osx32 GnuTLS:
> 
> rpm -qa | grep cendio | grep gnutls
> cendio-build-gnutls-solsparc-3.2.11-1.noarch
> cendio-build-gnutls-win32-2.8.6-1.noarch
> cendio-build-gnutls-i386-3.2.11-1.noarch
> cendio-build-gnutls-x86_64-3.2.11-1.noarch
> cendio-build-gnutls-osx32-2.8.6-1.noarch

gnutls is only used by the server. No idea why you have those installed. :)
Comment 5 Henrik Andersson cendio 2014-03-17 10:58:56 CET
All is in order...
